[jira] [Updated] (RANGER-1575) Some users hope that the pid file of the Ranger Admin can be unified management when they integrate Ranger into the big data platform or business systems to uniform inst

[peng.jianhua (JIRA)]

 [ 
https://issues.apache.org/jira/browse/RANGER-1575?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

peng.jianhua updated RANGER-1575:
-
Description: 
Some users hope that the pid file of the Ranger Admin can be unified management 
when they integrate Ranger into the big data platform or business systems to 
uniform install and run Ranger. 
We should support the need in the case of compatibility with existing logic. 
When running ranger, users can set the pid file to meet their own needs.

We will explicitly document this change in the next release.


  was:
Some users hope that the pid file of the Ranger Admin can be unified management 
when they integrate Ranger into the big data platform or business systems to 
uniform install and run Ranger. 
We should support the need in the case of compatibility with existing logic. 
When running ranger, users can set the pid file to meet their own needs.


> Some users hope that the pid file of the Ranger Admin can be unified 
> management when they integrate Ranger into the big data platform or business 
> systems to uniform install and run Ranger.
> 
>
> Key: RANGER-1575
> URL: https://issues.apache.org/jira/browse/RANGER-1575
> Project: Ranger
>  Issue Type: New Feature
>  Components: admin
>Affects Versions: 1.0.0
>Reporter: peng.jianhua
>Assignee: peng.jianhua
>Priority: Minor
>  Labels: patch
> Fix For: 1.0.0
>
>
> Some users hope that the pid file of the Ranger Admin can be unified 
> management when they integrate Ranger into the big data platform or business 
> systems to uniform install and run Ranger. 
> We should support the need in the case of compatibility with existing logic. 
> When running ranger, users can set the pid file to meet their own needs.
> We will explicitly document this change in the next release.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Re: Review Request 59227: RANGER-1576: Show attribute values to tags column in audit log

[Gautam Borad]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59227/#review174884
---


Ship it!




Ship It!

- Gautam Borad


On May 12, 2017, 12:02 p.m., Gautam Borad wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59227/
> ---
> 
> (Updated May 12, 2017, 12:02 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Abhay Kulkarni, 
> Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, and 
> Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1576
> https://issues.apache.org/jira/browse/RANGER-1576
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Currently in the access audit log record (Audit Menu-> admin tab), the tags 
> column is populated when the accessed resource has any tags associated with 
> it. 
> However, if the tag has any attributes, their values are not shown in the 
> audit log record. As authorization decision may be based on the 
> attribute-value(s) as well as tag-type (such as in the case of expiry_date 
> attribute’s value for EXPIRES_ON tag-type), they too need to be populated and 
> displayed on audit log record.
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/webapp/scripts/utils/XAUtils.js 
> 08aa95acc14d0b3e2e73b3b9ef8d9406af4f980f 
>   security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 
> b98e2cc96cfe4b683ac2929546e1951633c1bb94 
>   security-admin/src/main/webapp/styles/xa.css 
> 06ef1d0b4b74717c6c4723a18b4ac7a53dcc7079 
> 
> 
> Diff: https://reviews.apache.org/r/59227/diff/1/
> 
> 
> Testing
> ---
> 
> Tested that on the Audits page, all records that has tag attributes are shown 
> as hyper link and on clicking on these the attritubes are shown.
> 
> 
> Thanks,
> 
> Gautam Borad
> 
>

[jira] [Resolved] (RANGER-1577) Update Ranger-WASB servicedefinition to remove Execute permission and disallow policies with a trailing slash

[Velmurugan Periasamy (JIRA)]

 [ 
https://issues.apache.org/jira/browse/RANGER-1577?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Velmurugan Periasamy resolved RANGER-1577.
--
Resolution: Fixed

Patch committed. 

master - 
https://git-wip-us.apache.org/repos/asf?p=ranger.git;a=commit;h=fe999c662ff15640502c3378b9ce50be41612dec

ranger-0.7 - 
https://git-wip-us.apache.org/repos/asf?p=ranger.git;a=commit;h=b8738de30bc49b64858b2d09e0eb033e04a326a6

> Update Ranger-WASB servicedefinition to remove Execute permission and 
> disallow policies with a trailing slash
> -
>
> Key: RANGER-1577
> URL: https://issues.apache.org/jira/browse/RANGER-1577
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: master
>Reporter: Ramesh Mani
>Assignee: Ramesh Mani
> Fix For: master
>
>
> Update Ranger-WASB servicedefinition to remove Execute permission and 
> disallow policies with a trailing slash



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

[jira] [Updated] (RANGER-1577) Update Ranger-WASB servicedefinition to remove Execute permission and disallow policies with a trailing slash

[Velmurugan Periasamy (JIRA)]

 [ 
https://issues.apache.org/jira/browse/RANGER-1577?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Velmurugan Periasamy updated RANGER-1577:
-
Fix Version/s: (was: master)
   0.7.1
   1.0.0

> Update Ranger-WASB servicedefinition to remove Execute permission and 
> disallow policies with a trailing slash
> -
>
> Key: RANGER-1577
> URL: https://issues.apache.org/jira/browse/RANGER-1577
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: master
>Reporter: Ramesh Mani
>Assignee: Ramesh Mani
> Fix For: 1.0.0, 0.7.1
>
>
> Update Ranger-WASB servicedefinition to remove Execute permission and 
> disallow policies with a trailing slash



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Re: Review Request 59245: RANGER-1577:Update Ranger-WASB servicedefinition to remove Execute permission and disallow policies with a trailing slash

[Velmurugan Periasamy]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59245/#review174879
---


Ship it!




Ship It!

- Velmurugan Periasamy


On May 12, 2017, 10:01 p.m., Ramesh Mani wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59245/
> ---
> 
> (Updated May 12, 2017, 10:01 p.m.)
> 
> 
> Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, and Velmurugan 
> Periasamy.
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> RANGER-1577:Update Ranger-WASB servicedefinition to remove Execute permission 
> and disallow policies with a trailing slash
> 
> 
> Diffs
> -
> 
>   agents-common/src/main/resources/service-defs/ranger-servicedef-wasb.json 
> 038ebaf 
> 
> 
> Diff: https://reviews.apache.org/r/59245/diff/1/
> 
> 
> Testing
> ---
> 
> 
> Thanks,
> 
> Ramesh Mani
> 
>

[jira] [Updated] (RANGER-1578) Ranger plugins should use default service-def when it fails to obtain from Ranger Admin or cache

[Abhay Kulkarni (JIRA)]

 [ 
https://issues.apache.org/jira/browse/RANGER-1578?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhay Kulkarni updated RANGER-1578:
---
   Affects Version/s: 0.7.0
Request participants:   (was: )
   Fix Version/s: 0.7.1

> Ranger plugins should use default service-def when it fails to obtain from 
> Ranger Admin or cache
> 
>
> Key: RANGER-1578
> URL: https://issues.apache.org/jira/browse/RANGER-1578
> Project: Ranger
>  Issue Type: Bug
>  Components: plugins
>Affects Versions: 0.7.0, master
>Reporter: Madhan Neethiraj
>Assignee: Abhay Kulkarni
> Fix For: master, 0.7.1
>
>
> Ranger plugins obtain service-def at runtime from Ranger Admin. This enables  
> the plugins to receive the latest service-def, which might have been updated 
> to use custom conditions, context-enrichers, etc. However, if the plugin 
> fails to obtain the service-def from Ranger Admin (or from local-cache), it 
> should use a default version of service-def - against which the plugin was 
> developed.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Re: Review Request 59247: Ranger plugins should use default service-def when it fails to obtain from Ranger Admin or cache

[Madhan Neethiraj]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59247/#review174872
---


Ship it!




Ship It!

- Madhan Neethiraj


On May 12, 2017, 11:54 p.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59247/
> ---
> 
> (Updated May 12, 2017, 11:54 p.m.)
> 
> 
> Review request for ranger and Madhan Neethiraj.
> 
> 
> Bugs: RANGER-1578
> https://issues.apache.org/jira/browse/RANGER-1578
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> If the plugin fails to obtain the service-def from Ranger Admin (or from 
> local-cache), plugin is initialized with a default version of service-def - 
> against which the plugin was developed.
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
>  508ef93 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
>  5b13a2f 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
>  295272d 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
>  c5a4244 
>   
> hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
>  8f6311e 
> 
> 
> Diff: https://reviews.apache.org/r/59247/diff/2/
> 
> 
> Testing
> ---
> 
> In an Ambari deployed cluster: enabled Ranger for hive, and ensured that the 
> hive component cannot download policies from Ranger-admin. Tested 
> ranger-plugin by executing hive commands through beeline command-line tool 
> and verified that a. access to hive resource was denied, and b. audit log 
> records were created, and viewable through ranger-admin GUI.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>

Re: Review Request 59247: Ranger plugins should use default service-def when it fails to obtain from Ranger Admin or cache

[Abhay Kulkarni]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59247/
---

(Updated May 12, 2017, 11:54 p.m.)


Review request for ranger and Madhan Neethiraj.


Changes
---

Addressed review comment.


Bugs: RANGER-1578
https://issues.apache.org/jira/browse/RANGER-1578


Repository: ranger


Description
---

If the plugin fails to obtain the service-def from Ranger Admin (or from 
local-cache), plugin is initialized with a default version of service-def - 
against which the plugin was developed.


Diffs (updated)
-

  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 508ef93 
  
agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
 5b13a2f 
  
agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
 295272d 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java 
c5a4244 
  
hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
 8f6311e 


Diff: https://reviews.apache.org/r/59247/diff/2/

Changes: https://reviews.apache.org/r/59247/diff/1-2/


Testing
---

In an Ambari deployed cluster: enabled Ranger for hive, and ensured that the 
hive component cannot download policies from Ranger-admin. Tested ranger-plugin 
by executing hive commands through beeline command-line tool and verified that 
a. access to hive resource was denied, and b. audit log records were created, 
and viewable through ranger-admin GUI.


Thanks,

Abhay Kulkarni

Re: Review Request 59247: Ranger plugins should use default service-def when it fails to obtain from Ranger Admin or cache

[Madhan Neethiraj]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59247/#review174870
---




agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Lines 198 (patched)


Consider moving this to "default" case above.


- Madhan Neethiraj


On May 12, 2017, 10:41 p.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59247/
> ---
> 
> (Updated May 12, 2017, 10:41 p.m.)
> 
> 
> Review request for ranger and Madhan Neethiraj.
> 
> 
> Bugs: RANGER-1578
> https://issues.apache.org/jira/browse/RANGER-1578
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> If the plugin fails to obtain the service-def from Ranger Admin (or from 
> local-cache), plugin is initialized with a default version of service-def - 
> against which the plugin was developed.
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
>  508ef93 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
>  5b13a2f 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
>  295272d 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
>  c5a4244 
>   
> hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
>  8f6311e 
> 
> 
> Diff: https://reviews.apache.org/r/59247/diff/1/
> 
> 
> Testing
> ---
> 
> In an Ambari deployed cluster: enabled Ranger for hive, and ensured that the 
> hive component cannot download policies from Ranger-admin. Tested 
> ranger-plugin by executing hive commands through beeline command-line tool 
> and verified that a. access to hive resource was denied, and b. audit log 
> records were created, and viewable through ranger-admin GUI.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>

[jira] [Resolved] (RANGER-1574) The XAAUDIT.DB.PASSWORD property had been deleted in RANGER-900. The related redundant code should be deleted for plugin installer.

[Qiang Zhang (JIRA)]

 [ 
https://issues.apache.org/jira/browse/RANGER-1574?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Qiang Zhang resolved RANGER-1574.
-
Resolution: Fixed

> The XAAUDIT.DB.PASSWORD property had been deleted in RANGER-900. The related 
> redundant code should be deleted for plugin installer.
> ---
>
> Key: RANGER-1574
> URL: https://issues.apache.org/jira/browse/RANGER-1574
> Project: Ranger
>  Issue Type: Bug
>  Components: plugins
>Affects Versions: 1.0.0
>Reporter: peng.jianhua
>Assignee: peng.jianhua
>Priority: Minor
>  Labels: patch
> Fix For: 1.0.0
>
> Attachments: 
> 0001-RANGER-1574-The-XAAUDIT.DB.PASSWORD-property-had-bee.patch
>
>
> The XAAUDIT.DB.PASSWORD property had been deleted in RANGER-900. The 
> following redundant code should be deleted for plugin installer because these 
> codes will never be executed.
> auditCredAlias="auditDBCred"  
> auditdbCred=$(getInstallProperty 'XAAUDIT.DB.PASSWORD')
> if [ "${auditdbCred}" != "" ]; then
>   create_jceks "${auditCredAlias}"  "${auditdbCred}"  "${CredFile}"
> I had checked the property for plugin-yarn, 
> plugin-solr,plugin-kafka,plugin-atlas,hive-agent,hdfs-agent and hbase-agent.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Re: Review Request 59221: RANGER-1574:The XAAUDIT.DB.PASSWORD property had been deleted in RANGER-900. The related redundant code should be deleted for plugin installer.

[Qiang Zhang]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59221/#review174866
---


Ship it!




Ship It!

- Qiang Zhang


On 五月 12, 2017, 1:20 p.m., pengjianhua wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59221/
> ---
> 
> (Updated 五月 12, 2017, 1:20 p.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O 
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan 
> Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1574
> https://issues.apache.org/jira/browse/RANGER-1574
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> The XAAUDIT.DB.PASSWORD property had been deleted in RANGER-900. The 
> following redundant code should be deleted for plugin installer because these 
> codes will never be executed.
> auditCredAlias="auditDBCred"  
> auditdbCred=$(getInstallProperty 'XAAUDIT.DB.PASSWORD')
> if [ "${auditdbCred}" != "" ]; then
>   create_jceks "${auditCredAlias}"  "${auditdbCred}"  "${CredFile}"
> 
> I had checked the property for plugin-yarn, 
> plugin-solr,plugin-kafka,plugin-atlas,hive-agent,hdfs-agent and hbase-agent. 
> The test result shows that the modification is ok.
> 
> 
> Diffs
> -
> 
>   agents-common/scripts/enable-agent.sh d13875c 
>   hbase-agent/scripts/install.sh 265be1d 
>   hdfs-agent/scripts/install.sh ea88546 
>   hive-agent/scripts/install.sh fa19634 
>   knox-agent/scripts/install.sh 41322d3 
>   plugin-kms/scripts/enable-kms-plugin.sh 6101ef3 
>   storm-agent/scripts/install.sh 955ceb5 
> 
> 
> Diff: https://reviews.apache.org/r/59221/diff/2/
> 
> 
> Testing
> ---
> 
> 
> Thanks,
> 
> pengjianhua
> 
>

Review Request 59247: Ranger plugins should use default service-def when it fails to obtain from Ranger Admin or cache

[Abhay Kulkarni]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59247/
---

Review request for ranger and Madhan Neethiraj.


Bugs: RANGER-1578
https://issues.apache.org/jira/browse/RANGER-1578


Repository: ranger


Description
---

If the plugin fails to obtain the service-def from Ranger Admin (or from 
local-cache), plugin is initialized with a default version of service-def - 
against which the plugin was developed.


Diffs
-

  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 508ef93 
  
agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
 5b13a2f 
  
agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
 295272d 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java 
c5a4244 
  
hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
 8f6311e 


Diff: https://reviews.apache.org/r/59247/diff/1/


Testing
---

In an Ambari deployed cluster: enabled Ranger for hive, and ensured that the 
hive component cannot download policies from Ranger-admin. Tested ranger-plugin 
by executing hive commands through beeline command-line tool and verified that 
a. access to hive resource was denied, and b. audit log records were created, 
and viewable through ranger-admin GUI.


Thanks,

Abhay Kulkarni

[jira] [Assigned] (RANGER-1578) Ranger plugins should use default service-def when it fails to obtain from Ranger Admin or cache

[Abhay Kulkarni (JIRA)]

 [ 
https://issues.apache.org/jira/browse/RANGER-1578?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhay Kulkarni reassigned RANGER-1578:
--

Assignee: Abhay Kulkarni

> Ranger plugins should use default service-def when it fails to obtain from 
> Ranger Admin or cache
> 
>
> Key: RANGER-1578
> URL: https://issues.apache.org/jira/browse/RANGER-1578
> Project: Ranger
>  Issue Type: Bug
>  Components: plugins
>Reporter: Madhan Neethiraj
>Assignee: Abhay Kulkarni
>
> Ranger plugins obtain service-def at runtime from Ranger Admin. This enables  
> the plugins to receive the latest service-def, which might have been updated 
> to use custom conditions, context-enrichers, etc. However, if the plugin 
> fails to obtain the service-def from Ranger Admin (or from local-cache), it 
> should use a default version of service-def - against which the plugin was 
> developed.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

[jira] [Created] (RANGER-1578) Ranger plugins should use default service-def when it fails to obtain from Ranger Admin or cache

[Madhan Neethiraj (JIRA)]

Madhan Neethiraj created RANGER-1578:


 Summary: Ranger plugins should use default service-def when it 
fails to obtain from Ranger Admin or cache
 Key: RANGER-1578
 URL: https://issues.apache.org/jira/browse/RANGER-1578
 Project: Ranger
  Issue Type: Bug
  Components: plugins
Reporter: Madhan Neethiraj


Ranger plugins obtain service-def at runtime from Ranger Admin. This enables  
the plugins to receive the latest service-def, which might have been updated to 
use custom conditions, context-enrichers, etc. However, if the plugin fails to 
obtain the service-def from Ranger Admin (or from local-cache), it should use a 
default version of service-def - against which the plugin was developed.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Review Request 59245: RANGER-1577:Update Ranger-WASB servicedefinition to remove Execute permission and disallow policies with a trailing slash

[Ramesh Mani]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59245/
---

Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, and Velmurugan 
Periasamy.


Repository: ranger


Description
---

RANGER-1577:Update Ranger-WASB servicedefinition to remove Execute permission 
and disallow policies with a trailing slash


Diffs
-

  agents-common/src/main/resources/service-defs/ranger-servicedef-wasb.json 
038ebaf 


Diff: https://reviews.apache.org/r/59245/diff/1/


Testing
---


Thanks,

Ramesh Mani

[jira] [Created] (RANGER-1577) Update Ranger-WASB servicedefinition to remove Execute permission and disallow policies with a trailing slash

[Ramesh Mani (JIRA)]

Ramesh Mani created RANGER-1577:
---

 Summary: Update Ranger-WASB servicedefinition to remove Execute 
permission and disallow policies with a trailing slash
 Key: RANGER-1577
 URL: https://issues.apache.org/jira/browse/RANGER-1577
 Project: Ranger
  Issue Type: Bug
  Components: Ranger
Affects Versions: master
Reporter: Ramesh Mani
Assignee: Ramesh Mani
 Fix For: master


Update Ranger-WASB servicedefinition to remove Execute permission and disallow 
policies with a trailing slash



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Re: Authorization for policy downloads

[Velmurugan Periasamy]

Hi Colm:

In kerberized environments, /service/plugins/secure/policies/download should
be used for download and will be restricted to valid plugins as you pointed
out. /service/plugins/policies will need to be protected by two way SSL and
exists for backward compatibility.

Thanks,
Vel

From:  Colm O hEigeartaigh 
Reply-To:  "dev@ranger.apache.org" ,
"cohei...@apache.org" 
Date:  Tuesday, May 2, 2017 at 8:50 AM
To:  "dev@ranger.apache.org" 
Subject:  Authorization for policy downloads

Hi all,

A quick question for something that is puzzling me. I can download policies
from then Admin service with no credentials like e.g.:

curl -v http://localhost:6080/service/plugins/policies/download/cl1_hadoop

However, when my kerberized HDFS plugin tries to pull policies down (as the
"hdfs" user), I get an authorization error that the user is not allowed to
download the policies. I have to edit the "cl1_hadoop" configuration and
add the "hdfs" user to the "policy.download.auth.users" property.

Why is this step necessary when I can just download the policies with no
credentials with curl? Are we looking at a security issue here?

Colm.


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Review Request 59221: RANGER-1574:The XAAUDIT.DB.PASSWORD property had been deleted in RANGER-900. The related redundant code should be deleted for plugin installer.

[Colm O hEigeartaigh]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59221/#review174810
---


Ship it!




Ship It!

- Colm O hEigeartaigh


On May 12, 2017, 1:20 p.m., pengjianhua wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59221/
> ---
> 
> (Updated May 12, 2017, 1:20 p.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O 
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan 
> Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1574
> https://issues.apache.org/jira/browse/RANGER-1574
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> The XAAUDIT.DB.PASSWORD property had been deleted in RANGER-900. The 
> following redundant code should be deleted for plugin installer because these 
> codes will never be executed.
> auditCredAlias="auditDBCred"  
> auditdbCred=$(getInstallProperty 'XAAUDIT.DB.PASSWORD')
> if [ "${auditdbCred}" != "" ]; then
>   create_jceks "${auditCredAlias}"  "${auditdbCred}"  "${CredFile}"
> 
> I had checked the property for plugin-yarn, 
> plugin-solr,plugin-kafka,plugin-atlas,hive-agent,hdfs-agent and hbase-agent. 
> The test result shows that the modification is ok.
> 
> 
> Diffs
> -
> 
>   agents-common/scripts/enable-agent.sh d13875c 
>   hbase-agent/scripts/install.sh 265be1d 
>   hdfs-agent/scripts/install.sh ea88546 
>   hive-agent/scripts/install.sh fa19634 
>   knox-agent/scripts/install.sh 41322d3 
>   plugin-kms/scripts/enable-kms-plugin.sh 6101ef3 
>   storm-agent/scripts/install.sh 955ceb5 
> 
> 
> Diff: https://reviews.apache.org/r/59221/diff/2/
> 
> 
> Testing
> ---
> 
> 
> Thanks,
> 
> pengjianhua
> 
>

Re: Review Request 59221: RANGER-1574:The XAAUDIT.DB.PASSWORD property had been deleted in RANGER-900. The related redundant code should be deleted for plugin installer.

[pengjianhua]

> On May 12, 2017, 10:07 a.m., Colm O hEigeartaigh wrote:
> > Why not remove it from the install scripts as well? e.g.
> > 
> > grep -rl "XAAUDIT.DB.PASSWORD" *
> > agents-common/scripts/enable-agent.sh
> > hbase-agent/scripts/install.sh
> > hdfs-agent/scripts/install.sh
> > hive-agent/scripts/install.sh
> > knox-agent/scripts/install.sh
> > plugin-kms/scripts/enable-kms-plugin.sh
> > storm-agent/scripts/install.sh
> 
> pengjianhua wrote:
> Ok. I will carefully analyze these scripts and verify their 
> functionality. I will remove these redundant codes if the verification result 
> is ok.

Ok. I checked these files and remove it from these installers.The patch had 
been updated.Thanks.


- pengjianhua


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59221/#review174773
---


On May 12, 2017, 1:20 p.m., pengjianhua wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59221/
> ---
> 
> (Updated May 12, 2017, 1:20 p.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O 
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan 
> Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1574
> https://issues.apache.org/jira/browse/RANGER-1574
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> The XAAUDIT.DB.PASSWORD property had been deleted in RANGER-900. The 
> following redundant code should be deleted for plugin installer because these 
> codes will never be executed.
> auditCredAlias="auditDBCred"  
> auditdbCred=$(getInstallProperty 'XAAUDIT.DB.PASSWORD')
> if [ "${auditdbCred}" != "" ]; then
>   create_jceks "${auditCredAlias}"  "${auditdbCred}"  "${CredFile}"
> 
> I had checked the property for plugin-yarn, 
> plugin-solr,plugin-kafka,plugin-atlas,hive-agent,hdfs-agent and hbase-agent. 
> The test result shows that the modification is ok.
> 
> 
> Diffs
> -
> 
>   agents-common/scripts/enable-agent.sh d13875c 
>   hbase-agent/scripts/install.sh 265be1d 
>   hdfs-agent/scripts/install.sh ea88546 
>   hive-agent/scripts/install.sh fa19634 
>   knox-agent/scripts/install.sh 41322d3 
>   plugin-kms/scripts/enable-kms-plugin.sh 6101ef3 
>   storm-agent/scripts/install.sh 955ceb5 
> 
> 
> Diff: https://reviews.apache.org/r/59221/diff/2/
> 
> 
> Testing
> ---
> 
> 
> Thanks,
> 
> pengjianhua
> 
>

Re: Review Request 59221: RANGER-1574:The XAAUDIT.DB.PASSWORD property had been deleted in RANGER-900. The related redundant code should be deleted for plugin installer.

[pengjianhua]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59221/
---

(Updated May 12, 2017, 1:20 p.m.)


Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O 
hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan 
Neethiraj, Velmurugan Periasamy, and Qiang Zhang.


Bugs: RANGER-1574
https://issues.apache.org/jira/browse/RANGER-1574


Repository: ranger


Description
---

The XAAUDIT.DB.PASSWORD property had been deleted in RANGER-900. The following 
redundant code should be deleted for plugin installer because these codes will 
never be executed.
auditCredAlias="auditDBCred"
auditdbCred=$(getInstallProperty 'XAAUDIT.DB.PASSWORD')
if [ "${auditdbCred}" != "" ]; then
create_jceks "${auditCredAlias}"  "${auditdbCred}"  "${CredFile}"

I had checked the property for plugin-yarn, 
plugin-solr,plugin-kafka,plugin-atlas,hive-agent,hdfs-agent and hbase-agent. 
The test result shows that the modification is ok.


Diffs (updated)
-

  agents-common/scripts/enable-agent.sh d13875c 
  hbase-agent/scripts/install.sh 265be1d 
  hdfs-agent/scripts/install.sh ea88546 
  hive-agent/scripts/install.sh fa19634 
  knox-agent/scripts/install.sh 41322d3 
  plugin-kms/scripts/enable-kms-plugin.sh 6101ef3 
  storm-agent/scripts/install.sh 955ceb5 


Diff: https://reviews.apache.org/r/59221/diff/2/

Changes: https://reviews.apache.org/r/59221/diff/1-2/


Testing
---


Thanks,

pengjianhua

Re: Review Request 59227: RANGER-1576: Show attribute values to tags column in audit log

[Velmurugan Periasamy]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59227/#review174782
---


Ship it!




Ship It!

- Velmurugan Periasamy


On May 12, 2017, 12:02 p.m., Gautam Borad wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59227/
> ---
> 
> (Updated May 12, 2017, 12:02 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Abhay Kulkarni, 
> Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, and 
> Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1576
> https://issues.apache.org/jira/browse/RANGER-1576
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Currently in the access audit log record (Audit Menu-> admin tab), the tags 
> column is populated when the accessed resource has any tags associated with 
> it. 
> However, if the tag has any attributes, their values are not shown in the 
> audit log record. As authorization decision may be based on the 
> attribute-value(s) as well as tag-type (such as in the case of expiry_date 
> attribute’s value for EXPIRES_ON tag-type), they too need to be populated and 
> displayed on audit log record.
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/webapp/scripts/utils/XAUtils.js 
> 08aa95acc14d0b3e2e73b3b9ef8d9406af4f980f 
>   security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 
> b98e2cc96cfe4b683ac2929546e1951633c1bb94 
>   security-admin/src/main/webapp/styles/xa.css 
> 06ef1d0b4b74717c6c4723a18b4ac7a53dcc7079 
> 
> 
> Diff: https://reviews.apache.org/r/59227/diff/1/
> 
> 
> Testing
> ---
> 
> Tested that on the Audits page, all records that has tag attributes are shown 
> as hyper link and on clicking on these the attritubes are shown.
> 
> 
> Thanks,
> 
> Gautam Borad
> 
>

Review Request 59227: RANGER-1576: Show attribute values to tags column in audit log

[Gautam Borad]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59227/
---

Review request for ranger, Ankita Sinha, Don Bosco Durai, Abhay Kulkarni, 
Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, and 
Velmurugan Periasamy.


Bugs: RANGER-1576
https://issues.apache.org/jira/browse/RANGER-1576


Repository: ranger


Description
---

Currently in the access audit log record (Audit Menu-> admin tab), the tags 
column is populated when the accessed resource has any tags associated with it. 
However, if the tag has any attributes, their values are not shown in the audit 
log record. As authorization decision may be based on the attribute-value(s) as 
well as tag-type (such as in the case of expiry_date attribute’s value for 
EXPIRES_ON tag-type), they too need to be populated and displayed on audit log 
record.


Diffs
-

  security-admin/src/main/webapp/scripts/utils/XAUtils.js 
08aa95acc14d0b3e2e73b3b9ef8d9406af4f980f 
  security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 
b98e2cc96cfe4b683ac2929546e1951633c1bb94 
  security-admin/src/main/webapp/styles/xa.css 
06ef1d0b4b74717c6c4723a18b4ac7a53dcc7079 


Diff: https://reviews.apache.org/r/59227/diff/1/


Testing
---

Tested that on the Audits page, all records that has tag attributes are shown 
as hyper link and on clicking on these the attritubes are shown.


Thanks,

Gautam Borad

[jira] [Updated] (RANGER-1576) Show attribute values to tags column in audit log

[Gautam Borad (JIRA)]

 [ 
https://issues.apache.org/jira/browse/RANGER-1576?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Gautam Borad updated RANGER-1576:
-
Attachment: RANGER-1576.patch

> Show attribute values to tags column in audit log
> -
>
> Key: RANGER-1576
> URL: https://issues.apache.org/jira/browse/RANGER-1576
> Project: Ranger
>  Issue Type: Bug
>  Components: admin, Ranger
>Affects Versions: 0.7.0
>Reporter: Gautam Borad
>Assignee: Gautam Borad
> Fix For: 1.0.0, 0.7.1
>
> Attachments: RANGER-1576.patch
>
>
> Currently in the access audit log record (Audit Menu-> admin tab), the tags 
> column is populated when the accessed resource has any tags associated with 
> it. 
> However, if the tag has any attributes, their values are not shown in the 
> audit log record. As authorization decision may be based on the 
> attribute-value(s) as well as tag-type (such as in the case of expiry_date 
> attribute’s value for EXPIRES_ON tag-type), they too need to be populated and 
> displayed on audit log record.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

[jira] [Created] (RANGER-1576) Show attribute values to tags column in audit log

[Gautam Borad (JIRA)]

Gautam Borad created RANGER-1576:


 Summary: Show attribute values to tags column in audit log
 Key: RANGER-1576
 URL: https://issues.apache.org/jira/browse/RANGER-1576
 Project: Ranger
  Issue Type: Bug
  Components: admin, Ranger
Affects Versions: 0.7.0
Reporter: Gautam Borad
Assignee: Gautam Borad
 Fix For: 1.0.0, 0.7.1


Currently in the access audit log record (Audit Menu-> admin tab), the tags 
column is populated when the accessed resource has any tags associated with it. 
However, if the tag has any attributes, their values are not shown in the audit 
log record. As authorization decision may be based on the attribute-value(s) as 
well as tag-type (such as in the case of expiry_date attribute’s value for 
EXPIRES_ON tag-type), they too need to be populated and displayed on audit log 
record.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Re: Review Request 59221: RANGER-1574:The XAAUDIT.DB.PASSWORD property had been deleted in RANGER-900. The related redundant code should be deleted for plugin installer.

[pengjianhua]

> On 五月 12, 2017, 10:07 a.m., Colm O hEigeartaigh wrote:
> > Why not remove it from the install scripts as well? e.g.
> > 
> > grep -rl "XAAUDIT.DB.PASSWORD" *
> > agents-common/scripts/enable-agent.sh
> > hbase-agent/scripts/install.sh
> > hdfs-agent/scripts/install.sh
> > hive-agent/scripts/install.sh
> > knox-agent/scripts/install.sh
> > plugin-kms/scripts/enable-kms-plugin.sh
> > storm-agent/scripts/install.sh

Ok. I will carefully analyze these scripts and verify their functionality. I 
will remove these redundant codes if the verification result is ok.


- pengjianhua


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59221/#review174773
---


On 五月 12, 2017, 2:51 a.m., pengjianhua wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59221/
> ---
> 
> (Updated 五月 12, 2017, 2:51 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O 
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan 
> Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1574
> https://issues.apache.org/jira/browse/RANGER-1574
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> The XAAUDIT.DB.PASSWORD property had been deleted in RANGER-900. The 
> following redundant code should be deleted for plugin installer because these 
> codes will never be executed.
> auditCredAlias="auditDBCred"  
> auditdbCred=$(getInstallProperty 'XAAUDIT.DB.PASSWORD')
> if [ "${auditdbCred}" != "" ]; then
>   create_jceks "${auditCredAlias}"  "${auditdbCred}"  "${CredFile}"
> 
> I had checked the property for plugin-yarn, 
> plugin-solr,plugin-kafka,plugin-atlas,hive-agent,hdfs-agent and hbase-agent. 
> The test result shows that the modification is ok.
> 
> 
> Diffs
> -
> 
>   agents-common/scripts/enable-agent.sh d13875c 
> 
> 
> Diff: https://reviews.apache.org/r/59221/diff/1/
> 
> 
> Testing
> ---
> 
> 
> Thanks,
> 
> pengjianhua
> 
>

Re: Review Request 59221: RANGER-1574:The XAAUDIT.DB.PASSWORD property had been deleted in RANGER-900. The related redundant code should be deleted for plugin installer.

[Colm O hEigeartaigh]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59221/#review174773
---



Why not remove it from the install scripts as well? e.g.

grep -rl "XAAUDIT.DB.PASSWORD" *
agents-common/scripts/enable-agent.sh
hbase-agent/scripts/install.sh
hdfs-agent/scripts/install.sh
hive-agent/scripts/install.sh
knox-agent/scripts/install.sh
plugin-kms/scripts/enable-kms-plugin.sh
storm-agent/scripts/install.sh

- Colm O hEigeartaigh


On May 12, 2017, 2:51 a.m., pengjianhua wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59221/
> ---
> 
> (Updated May 12, 2017, 2:51 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O 
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan 
> Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1574
> https://issues.apache.org/jira/browse/RANGER-1574
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> The XAAUDIT.DB.PASSWORD property had been deleted in RANGER-900. The 
> following redundant code should be deleted for plugin installer because these 
> codes will never be executed.
> auditCredAlias="auditDBCred"  
> auditdbCred=$(getInstallProperty 'XAAUDIT.DB.PASSWORD')
> if [ "${auditdbCred}" != "" ]; then
>   create_jceks "${auditCredAlias}"  "${auditdbCred}"  "${CredFile}"
> 
> I had checked the property for plugin-yarn, 
> plugin-solr,plugin-kafka,plugin-atlas,hive-agent,hdfs-agent and hbase-agent. 
> The test result shows that the modification is ok.
> 
> 
> Diffs
> -
> 
>   agents-common/scripts/enable-agent.sh d13875c 
> 
> 
> Diff: https://reviews.apache.org/r/59221/diff/1/
> 
> 
> Testing
> ---
> 
> 
> Thanks,
> 
> pengjianhua
> 
>

[jira] [Commented] (RANGER-1571) Code Improvement To Follow Best Practices

[Gautam Borad (JIRA)]

[ 
https://issues.apache.org/jira/browse/RANGER-1571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16007824#comment-16007824
 ] 

Gautam Borad commented on RANGER-1571:
--

Committed to master : fa38ed737d8696519d39b0cc53c128141e29edc6
Committed to ranger-0.7 : 3999d5b6a2f93ef72bdf1deea45d7abbe4268652

> Code Improvement To Follow Best Practices
> -
>
> Key: RANGER-1571
> URL: https://issues.apache.org/jira/browse/RANGER-1571
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Reporter: bhavik patel
>Assignee: bhavik patel
> Fix For: 1.0.0, 0.7.1
>
> Attachments: RANGER-1571-07-01.patch, RANGER-1571-07-02.patch, 
> RANGER-1571-master-01.patch, RANGER-1571-master.patch
>
>
> Code Improvement To Follow Best Practices



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

[jira] [Updated] (RANGER-1571) Code Improvement To Follow Best Practices

[Gautam Borad (JIRA)]

 [ 
https://issues.apache.org/jira/browse/RANGER-1571?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Gautam Borad updated RANGER-1571:
-
Fix Version/s: 1.0.0

> Code Improvement To Follow Best Practices
> -
>
> Key: RANGER-1571
> URL: https://issues.apache.org/jira/browse/RANGER-1571
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Reporter: bhavik patel
>Assignee: bhavik patel
> Fix For: 1.0.0, 0.7.1
>
> Attachments: RANGER-1571-07-01.patch, RANGER-1571-07-02.patch, 
> RANGER-1571-master-01.patch, RANGER-1571-master.patch
>
>
> Code Improvement To Follow Best Practices



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

[jira] [Created] (RANGER-1575) Some users hope that the pid file of the Ranger Admin can be unified management when they integrate Ranger into the big data platform or business systems to uniform inst

[peng.jianhua (JIRA)]

peng.jianhua created RANGER-1575:


 Summary: Some users hope that the pid file of the Ranger Admin can 
be unified management when they integrate Ranger into the big data platform or 
business systems to uniform install and run Ranger.
 Key: RANGER-1575
 URL: https://issues.apache.org/jira/browse/RANGER-1575
 Project: Ranger
  Issue Type: New Feature
  Components: admin
Affects Versions: 1.0.0
Reporter: peng.jianhua
Assignee: peng.jianhua
Priority: Minor
 Fix For: 1.0.0


Some users hope that the pid file of the Ranger Admin can be unified management 
when they integrate Ranger into the big data platform or business systems to 
uniform install and run Ranger. 
We should support the need in the case of compatibility with existing logic. 
When running ranger, users can set the pid file to meet their own needs.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)